docker: build an image with proper permissions

Signed-off-by: Austin Seipp <aseipp@pobox.com>
Change-Id: I3cbf2c4cdb1c15c87e95973a04ac5efa

Author: thoughtpolice

.github/workflows/docker.yml

@@ -10,17 +10,19 @@ env:
 
 jobs:
   build:
+    strategy:
+      fail-fast: false
+      matrix:
+        runner: [ X64, arm-runner ]
     name: "update: build and deploy postgres server images"
-    runs-on: ubuntu-latest
+    runs-on: [ self-hosted, ${{ matrix.runner }} ]
     permissions:
       contents: read
       packages: write
     steps:
       - uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9
         with:
           fetch-depth: 0
-      - uses: DeterminateSystems/nix-installer-action@65d7c888b2778e8cf30a07a88422ccb23499bfb8
-      - uses: DeterminateSystems/magic-nix-cache-action@749fc5bbc9fa49d60c2b93f6c4bc867b82e1d295
       - uses: actions/checkout@v3
 
       - name: Build images

docker/init.sh

@@ -0,0 +1,6 @@
+#!/bin/bash
+# shellcheck shell=bash
+
+sudo -u postgres /bin/initdb --locale=C -D /data
+sudo -u postgres ln -s /etc/postgresql.conf /data/postgresql.conf
+sudo -u postgres /bin/postgres -p 5432 -D /data

docs/docker.md

@@ -0,0 +1,14 @@
+Docker images are pushed to `ghcr.io` on every commit. Try the following:
+
+```
+docker run --rm -it ghcr.io/supabase/nix-postgres-15:latest
+```
+
+Every Docker image that is built on every push is given a tag that exactly
+corresponds to a Git commit in the repository — for example commit
+[d3e0c39d34e1bb4d37e058175a7bc376620f6868](https://github.com/supabase/nix-postgres/commit/d3e0c39d34e1bb4d37e058175a7bc376620f6868)
+in this repository has a tag in the container registry which can be used to pull
+exactly that version.
+
+This just starts the server. Client container images are not provided; you can
+use `nix run` for that, as outlined [here](./start-client-server.md).

flake.nix

@@ -173,13 +173,43 @@
 
         # Make a Docker Image from a given PostgreSQL version and binary package.
         makePostgresDocker = version: binPackage:
-          pkgs.dockerTools.buildLayeredImage {
+          let
+            initScript = pkgs.runCommand "docker-init.sh" {} ''
+              mkdir -p $out/bin
+              cp ${./docker/init.sh} $out/bin/init.sh
+              chmod +x $out/bin/init.sh
+            '';
+
+            postgresqlConfig = pkgs.runCommand "postgresql.conf" {} ''
+              mkdir -p $out/etc/
+              substitute ${./tests/postgresql.conf.in} $out/etc/postgresql.conf \
+                --subst-var-by PGSODIUM_GETKEY_SCRIPT "${./tests/util/pgsodium_getkey.sh}"
+            '';
+
+          in pkgs.dockerTools.buildImage {
             name = "postgresql-${version}";
             tag = "latest";
-            contents = with pkgs; [ coreutils bash binPackage ];
+
+            runAsRoot = ''
+              #!${pkgs.runtimeShell}
+              ${pkgs.dockerTools.shadowSetup}
+              groupadd -r postgres
+              useradd -r -g postgres postgres
+              mkdir -p /data /run/postgresql
+              chown postgres:postgres /data /run/postgresql
+            '';
+
+            copyToRoot = pkgs.buildEnv {
+              name = "image-root";
+              paths = with pkgs; [
+                initScript coreutils bash binPackage
+                dockerTools.binSh sudo postgresqlConfig
+              ];
+              pathsToLink = [ "/bin" "/etc" "/var" "/share" ];
+            };
 
             config = {
-              Cmd = [ "/bin/postgres" ];
+              Cmd = [ "/bin/init.sh" ];
               ExposedPorts = { "5432/tcp" = {}; };
               WorkingDir = "/data";
               Volumes = { "/data" = { }; };

tests/postgresql.conf.in

@@ -57,10 +57,7 @@
 
 # - Connection Settings -
 
-#listen_addresses = 'localhost'		# what IP address(es) to listen on;
-					# comma-separated list of addresses;
-					# defaults to 'localhost'; use '*' for all
-					# (change requires restart)
+listen_addresses = '*'		# what IP address(es) to listen on;
 #port = 5432				# (change requires restart)
 max_connections = 100			# (change requires restart)
 #superuser_reserved_connections = 3	# (change requires restart)